Skip to content
BrightPath

The research

Why we built it this way, and how it stacks up.

The security choices in BrightPath are not preferences. They follow published standards from NIST, OWASP, and Apple, and the privacy duties set out in Ontario’s PHIPA and the HIPAA Security Rule. Here is the evidence, and an honest comparison with the tools clinics already use.

The standards

Encryption done the way the field says to do it.

Each of these is a documented practice, not a marketing line. Open any source and check it.

AES-256-GCM is a named federal standard, not a home recipe

NIST Special Publication 800-38D specifies Galois/Counter Mode as authenticated encryption: one operation that gives confidentiality, integrity, and authenticity together. BrightPath encrypts every protected field with exactly this mode.

NIST SP 800-38D

It matches OWASP’s first choice for stored data

The OWASP Cryptographic Storage Cheat Sheet recommends AES with a 256-bit key in an authenticated mode such as GCM for sensitive data at rest, and says encryption should sit as a layer behind access control. BrightPath’s design maps onto that point for point.

OWASP Cryptographic Storage

A fresh nonce every time is the property that keeps GCM safe

NIST requires the nonce to be unique for the entire life of a key; reusing one breaks GCM completely. BrightPath generates a new random nonce for every single field it encrypts, which is why a value encrypted twice never looks the same.

NIST SP 800-38D (PDF)

Binding context to ciphertext stops substitution attacks

Associated data is authenticated but not encrypted, and it is bound into the tag so a ciphertext cannot be moved to another context and silently decrypt. AWS calls its version an encryption context; BrightPath binds scope, clinic, document, and field into every envelope.

AWS Encryption SDK

Device key storage is backed by hardware, not app storage

Modern mobile devices store secrets with hardware-backed keys in a dedicated secure subsystem, isolated from the main processor and never exposed to the operating-system kernel. BrightPath keeps its content keys in that secure storage, so the root of the key hierarchy is not sitting in plain app storage.

Apple Platform Security

Encryption is a second wall, on purpose

OWASP describes defense in depth as multiple independent controls, so no single failure is total. BrightPath treats field encryption as a layer behind authentication and access rules, so a child’s information stays sealed even if a rule is misconfigured or a database is copied.

OWASP security principles

The law

Built around the duties that actually apply.

BrightPath serves Ontario clinics first, so PHIPA is the reference point, with the HIPAA Security Rule as the framework for US contexts.

PHIPA sets a reasonable-safeguards duty

Ontario’s Personal Health Information Protection Act, s.12(1), requires custodians to take reasonable steps to protect personal health information against theft, loss, and unauthorized use, and to protect records from unauthorized copying or modification. Encryption, access control, and audit logging are the concrete measures that answer that duty.

PHIPA s.12 (CanLII)

PHIPA requires telling people when data is compromised

A custodian must notify affected individuals at the first reasonable opportunity, and notify Ontario’s privacy commissioner in defined breach circumstances. Minimizing stored readable data and encrypting what remains reduces both the chance and the severity of a notifiable breach.

IPC Ontario

PHIPA expects a public statement of safeguards

Custodians must have and make available a written statement describing the administrative, technical, and physical safeguards they use, and how a person can access or correct their records. A plain-language security page and privacy policy are part of meeting that expectation.

Guide to PHIPA (IPC)

HIPAA treats encryption as addressable, which is not optional

Under the HIPAA Security Rule, encrypting stored and transmitted ePHI is an addressable specification: an entity must implement it, or document why not and use an equivalent measure. Because BrightPath encrypts by default, there is no alternative to justify.

45 CFR 164.312 (eCFR)

Encrypted PHI can fall inside the breach safe harbor

The HIPAA Breach Notification Rule applies to unsecured PHI. PHI encrypted to the HHS standard is treated as secured, so a lost or stolen device generally does not trigger breach notification, provided the key was not also lost. This is one of the strongest arguments for encrypting by default.

HHS Breach Notification

A signed agreement is still required, and we say so

Where a vendor handles PHI, HIPAA requires a business associate agreement, and Ontario custodians need a written safeguards agreement with their service providers. Technical controls reduce exposure but do not replace those contracts. BrightPath is built to enter them, not to skip them.

HHS Business Associate Contracts

How we compare

Honest about where we lead, and where we do not.

Competitor details are drawn from each vendor’s own public security page, cited in the sources below, and reflect what those pages stated at the time of writing. BrightPath is newer and smaller than these products, so it leads on engineering specifics while honestly lacking the third-party audits some incumbents hold.

VendorEncryption in transitEncryption at restClient-side, per-field encryptionKeys the vendor cannot readIndependent audit (SOC 2 / HITRUST)Hosting
BrightPaththis appTLSAES-256-GCM, on top of cloud at-restYes, AES-256-GCM per fieldYes, keys held on the deviceNot yet, and we do not pretend otherwiseGoogle Cloud
CentralReachSSL / TLS“Encryption of data” (algorithm not published)Not publishedNot describedSOC 2 + HIPAA, verified by BDOAWS + Azure
RethinkTLS 1.2AES-256, database levelNot publishedNot describedHITRUST CSFAzure
MotivitySSL / TLS“Data encryption” (algorithm not published)Not publishedNot describedSOC 2 Type IIAzure
Catalyst / EnsoraSSL / HTTPS256-bit AES via AWS KMSNot publishedNot describedNot published for the ABA productAWS
Named and specific Present but unspecified Not yet in place

The context

A field that needs better tools, not more of them.

~9%

of BCBAs currently use data software to help set ABA service hours, room for tools that actually reduce the load.

ABA Matrix
~25%

of a BCBA’s time goes to direct client care; documentation and reports eat much of the rest.

ABA Matrix
$8B → ~$10B

the US ABA therapy market from 2025 toward 2030, a large and under-served field.

Stax